In my first IoT Agenda post, I discussed how the internet of things and the industrial internet of things are dramatically expanding organizations’ attack surfaces and introducing new security and compliance risks. In this article, I want to focus on how IoT and IIoT have escalated the importance of gaining visibility into and control over cloud computing and edge computing environments.
Before we can truly appreciate the role of cloud and edge computing in IoT/IIoT, we need to first have a basic understanding of how IoT works. At a very high level, distributed IoT/IIoT infrastructures consist of IP-enabled sensors, processors and other devices that collect data and then use some form of connectivity (e.g., Wi-Fi, Bluetooth) to push that data to the cloud for processing, analysis and action.
From a security standpoint, the IoT and IIoT devices themselves must be protected because they are part of the network ecosystem and, if compromised, can serve as a gateway to IT and operations technology (OT) networks, as well as the treasure trove of information they contain. Implementing proper cloud security measures is equally important, since the cloud is home to data aggregation and analytics processes — and end users rely on this information for decision-making and to take appropriate action.
Using the cloud for IoT/IIoT data analysis works just fine in many instances, but not all — and this is where edge computing comes in. Public cloud data centers are usually located in remote places, far away from the end users they serve. Because of these distances, sending IoT/IIoT data to the cloud for analysis and then delivering it back locally takes time — time that some users, such as a doctor relying on an IoT medical device or a facilities manager in charge of a nuclear power plant, just don’t have.
Edge computing processes data in close proximity to the site of data generation, which eliminates latency and performance issues, enabling real-time control decisions. Given these benefits, edge computing is being increasingly adopted within organizations that rely on IoT to provide instantaneous machine-to-machine interactivity and responsiveness. This has made edge infrastructure security more important than ever — but many IT security teams struggle with edge security, especially within IIoT environments.
Securing the edge
At a conceptual level, the issues associated with securing edge computing in an IIoT environment are the same as for any other networked system, namely:
- Privacy: An assurance of privacy of the communication between parties (i.e., data encryption);
- Authentication: Assurance that parties are who they say they are before they are allowed access to edge networks and devices; and
- Authorization: A mechanism for authorizing parties to use the various services to which they are entitled.
However, while there are well-known solutions to these challenges in traditional, legacy computing environments, IIoT environments remain challenging. The reason is that OT networks were, until recently, isolated from IT networks and the internet, so industrial control systems, sensors, controllers and other IIoT endpoints weren’t exposed to common IT threats and, therefore, weren’t designed to run security software — there simply wasn’t a need for them to have this ability. Today, this is all changing as OT networks merge with IT networks: once-isolated IIoT systems and devices are now IP-enabled, but they still lack the power, compute cycles and storage to run security software.
This has presented IT security teams with several security challenges. First, in many cases, security teams won’t be able to “bolt on” security at all; they’ll need to replace the OT endpoints altogether, which takes time, money and resources. Second, for those endpoints that do have the capacity to run security software, the overhead of adding encryption, authentication and authorization systems and processes may actually increase latency, which would negatively impact real-time embedded OT endpoints responsible for sub-second or even millisecond reaction times. This would be a major step back, since reduced latency is the reason edge computing emerged in the first place. And last, but certainly not least, edge and endpoint OT devices are often located in inaccessible, less hospitable environments, making it very expensive for organizations to implement and maintain security.
OT networks will eventually adopt IT security processes and protocols, but revamping products and infrastructures in this way will take decades. What can be done today?
Security starts with visibility
When it comes to IoT/IIoT, it’s important for organizations to have an accurate understanding of not only their IT/OT networks, but their cloud and edge computing infrastructures as well. In other words, they must be able to answer questions such as: Who has access to what endpoints? Are IoT, edge and cloud systems being properly managed? Are there leak paths to and from the internet that could be compromised by cybercriminals? Is network traffic normal? And the list goes on.
The only way to answer these questions is by gaining visibility into three equally important areas:
- Visibility into all endpoints and assets across all computing environments;
- Visibility into how those endpoints are connected to the enterprise, the internet and each other; and
- Visibility into whether the endpoints and subsequent traffic are expected, or if they indicate suspicious behavior, anomalous activity or rogue devices.
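The three kinds of visibility listed above can be checked against one another. The sketch below is an added example, not part of the original article: it compares a constructed asset inventory with constructed flow records and flags rogue devices, internet leak paths and unexpected zone crossings. The zone names, allowed-path policy, IP addresses and function names are all assumptions made for illustration.

```python
import ipaddress

# Constructed asset inventory (visibility area 1): IP -> (name, zone).
INVENTORY = {
    "10.20.0.11": ("plc-line1", "ot"),
    "10.20.0.12": ("hmi-line1", "ot"),
    "10.30.0.5": ("edge-gw-1", "edge"),
    "10.10.0.8": ("historian", "it"),
}
# Assumed address space owned by the organization.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Assumed policy (visibility area 2): zone-to-zone paths that are expected.
ALLOWED_PATHS = {("ot", "ot"), ("ot", "edge"), ("edge", "ot"),
                 ("edge", "it"), ("it", "edge"), ("edge", "internet")}
# Constructed flow records: (source IP, destination IP, destination port).
FLOWS = [
    ("10.20.0.11", "10.30.0.5", 502),     # PLC reports to the edge gateway
    ("10.30.0.5", "203.0.113.7", 443),    # edge gateway uploads to the cloud
    ("10.20.0.12", "203.0.113.50", 443),  # OT endpoint reaching the internet
    ("10.20.0.77", "10.20.0.11", 502),    # internal source not in inventory
    ("10.10.0.8", "10.20.0.11", 502),     # IT host talking straight to OT
    ("198.51.100.9", "10.30.0.5", 22),    # inbound from the internet
]

def zone_of(ip):
    """Return the inventory zone, 'unknown' (internal, not inventoried) or 'internet'."""
    if ip in INVENTORY:
        return INVENTORY[ip][1]
    addr = ipaddress.ip_address(ip)
    return "unknown" if any(addr in net for net in INTERNAL_NETS) else "internet"

def classify(flow):
    """Visibility area 3: is this flow expected, or does it need investigation?"""
    src, dst, _port = flow
    path = (zone_of(src), zone_of(dst))
    if "unknown" in path:
        return "rogue-device"
    if path in ALLOWED_PATHS:
        return "expected"
    return "leak-path" if "internet" in path else "unexpected-path"

def audit(flows):
    """Group flows by verdict so each class can be triaged separately."""
    findings = {}
    for flow in flows:
        findings.setdefault(classify(flow), []).append(flow)
    return findings

if __name__ == "__main__":
    for verdict, flows in sorted(audit(FLOWS).items()):
        for src, dst, port in flows:
            print(f"{verdict:16} {src} -> {dst}:{port}")
```

Because the check only reads an inventory and passively collected flow records, it needs no software on the constrained OT endpoints themselves.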
You can’t protect what you can’t see. The first step to winning the IoT/IIoT security battle — whether in an IT or OT environment — is visibility. Once visibility is achieved, organizations have access to the information they need to fully understand their risk posture, prioritize security strategies based on this understanding, and use IoT/IIoT data and other next-gen technologies to advance business processes without introducing unnecessary risks.